HIPAA Security Risk Management Process
HIPAA Security Risk Management Process
I. Objective1
To meet the HIPAA Security Standards which require covered entities, or hybrid entity’s covered components to:
“Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information.” and, engage in risk management to, “Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply.”
Data covered by this standard include the following:
Electronic Protected Health Information (ePHI). ePHI is defined as:
Individually identifiable health information,
• Transmitted by electronic media;
• Maintained in electronic media;
Electronic media means:
• Electronic storage media including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or
• Transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the internet (wide-open), extranet (using internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media, because the information being exchanged did not exist in electronic form before the transmission.
II. Initial Risk Assessment
Step 1: Determine what should be considered in the Assessment. As part of the HIPAA
mandated Security Rules, each covered entity/component will conduct a complete Gap Analysis comparing current security practices surrounding each ePHI asset with the HIPAA Security Standards. In each instance where gaps exist, the threat posed by the gap will be considered in the Risk Assessment (see example 1 below). In addition to known gaps, the Risk Assessment will include any potential areas where threats and vulnerabilities to ePHI are possible but are not specifically identified (see example 2 below).
Example 1: Risk Identified in the Gap Analysis – A specific Desk Top computer is being used to maintain PHI and no back-up is done to secure that data in the case of damage or loss.
Example 2: Risk not identified in the Gap Analysis – Undocumented databases containing PHI may exist and be vulnerable to loss because appropriate security measures are not taken as a matter of standard operating procedure. In this case, it is believed that this risk may exist, but no specific occurrence documented.
Step 2: Rank Probability and Consequence. Each risk should be evaluated relative to
“probability”, and “consequence” using the following ranking scales:
Probability: The likelihood that the existing risk will actually result in some sort of adverse consequence to the organization and non-compliance with the HIPAA Security Standards.
|Ranking |Description |Probability |
|1 |Highly unlikely to occur |Negligible |
|2 |Unlikely to occur |Very Low |
|3 |Will not occur in the short term, and only possibly in long-term |Low |
|4 |Unsure if it will ever happen, but reasonable to assume it could |Medium |
|5 |Likely to happen, but could be a year or more away |High |
|6 |Likely to occur within short-term (1 week to a year) |Very High |
|7 |Certain to occur in the short-term |Extreme |
Consequence: The worse case outcome of non-compliance on University Operations and the Individual(s) identified by the ePHI.
|Ranking |Description |Consequence |
|1 |Almost no impact or damage to Operations or the Individual |Insignificant |
|2 |Minor damage to Operations, no adverse effect on Individual |Minor |
|3 |Impacts Operations and effects the Individual |Significant |
|4 |Substantial damage or disruption to Operations, or the Individual |Damaging |
|5 |Harm, disruption, or damage to Operations and Individual with recovery requiring a |Serious |
| |short to long-term effort | |
|6 |Almost non-recoverable harm, disruption, or damage to Operation and the Individual |Critical |
Once each risk is ranked, those rankings should be documented on the Risk Assessment
Spreadsheet, which will be provided to each covered entity, to determine a total risk score prior to mitigating efforts. The spreadsheet will calculate the Risk Score and set the risk as “High”, “Medium”, or “Low” automatically (see view below).
|Risk Description |16 |
|Risk Description /Threat and Potential Loss |Probabilit|Consequenc|Risk Score |Risk Value |
| |y of Loss |e | | |
|ePHI located on DeskTop in Faculty Member X's office is not routinely backed |4 |4 |16 |High |
|up. Risk = Loss of PHI (Identified in Gap Analysis) | | | | |
Step 3: An action describing how to eliminate or mitigate the risk should be documented for each
risk. There may be multiple options for mitigating a risk with differing costs and levels of impact. Document each option (see view below).
|Proposed Mitigation Action |Adjusted Risk |4 |12 |
|Mitigation Action |Loss |Loss |Revised Score |Risk Value Reduction |
| |Probability |Consequence | | |
|Option 1 (ranked): Staff assigned to complete daily |1 |4 |4 |12 |
|back-ups on CD, storing most current off-site | | | | |
|Option 2: Remove all PHI from desktop and place in | | | | |
|common database already secured in compliant manner. | | | | |
Step 4: Score the risk level assuming the mitigating action has been taken. If multiple options exist for mitigation, indicate which one is being scored (see view above). Again, the
spreadsheet will automatically calculate the new risk score and the reduction in risk due to the mitigating action. Working with the appropriate stakeholders in the covered entity/component consider the different costs and impacts on risk before making a final decision on which action will be taken when multiple options exist. In some cases, the risk may be ranked as having such negligible and insignificant impacts, no action may be taken. In that case, document no action and keep the probability and consequence rankings the same under the Risk Mitigation workspace of the spreadsheet.
Step 5: Provide an electronic copy of the completed assessment to the Program Manager for
the HIPAA Security Team. The information will be combined with all University Covered
Entity/Components to get an overall risk score and risk score reduction from mitigating actions. The assessments will be reviewed to see if any overlap or conflicts exists between the various areas, as well as, to identify areas where collaboration might be beneficial.
Step 6: Develop a detail plan for implementing the mitigation actions. Detail plans need to
describe how each mitigating action will be completed, the human or material resources
required to implement the measure, and the estimated implementation date. The plan
should be provided to the HIPAA Security Program Manager so that each action can be tracked as a milestone in the team’s work plan.
III. On-going Risk Management:
In an effort to implement security measures sufficient to reduce risks and vulnerabilities to reasonable and appropriate levels an on-going process of Security “Risk Management” will be standard operating procedure for all HIPAA covered entities/components. Risk Management will be the process in place to identify threats, document and identify mitigation measures, and track progress. The Risk Management Program will require the following four steps be taken on a scheduled basis according to University Security Policy:
Step 1: Identify any new risks and document on the risk assessment spreadsheet following the
steps outlined above for the “Initial Risk Assessment”.
Step 2: Review previously documented risks and determine if any risk has changed in nature,
or is no longer a risk. For example, a desk top computer maintaining ePHI that had not been backed up routinely is no longer used and the data has been saved on tape in accordance with record retention policies. The risk no longer exists. In this case change the new risk scores under the Mitigation Work Space to 0=probability and 0=consequence. Document the reason the risk no longer exists under the status column noting the date the risk was eliminated.
Step 3: Review each existing risk and update the status of all incomplete mitigation actions. Note
the date of the review, and any change in the expected implementation date.
Step 4: Review results with the designated Security Officer.
|Risk Mitigation |Mitigation Status |
|Proposed Mitigation Action |Adjusted Risk |4 |12 |Log History of Mitigation Action |
| | | | |Implementation Status |
|Proposed Mitigation Action |Loss |Loss |Revised |Risk Value| |
| |Probability|Consequenc|Score |Reduction | |
| | |e | | | |
|Staff assigned to complete daily back-ups on |1 |4 |4 |12 |Target date for completion 04/25/05 - on |
|CD, storing most current off-site | | | | |track 09/01/04 |
................
................
In order to avoid copyright disputes, this page is only a partial summary.
To fulfill the demand for quickly locating and searching documents.
It is intelligent file search solution for home and business.
Related download
- it security policy office
- hipaa security risk management process
- the purpose of risk management is to identify potential
- information security clauses sat
- security assessment report template
- risk assessment tool
- risk management plan template
- asset list for iso 27001 risk assessment
- overview mssp services osibeyond
- cummins inc
Related searches
- treasury risk management pdf
- risk management course syllabus
- risk management professional certification
- advanced financial risk management pdf
- risk management exam quizlet
- top risk management consulting firms
- york risk management workers comp
- risk management work comp claims
- risk management exam answers
- treasury and risk management magazine
- online risk management certification programs
- best risk management certifications